CVE-2024-33299 is a Cross Site Scripting (XSS) vulnerability identified in Microweber version 2.0.9, a content management system (CMS). The vulnerability exists in the /admin/module/view?type=users endpoint, specifically through the First Name and Last Name parameters. An attacker with authenticated access (high privileges) can inject malicious scripts into these parameters, which are not properly sanitized or encoded before being rendered. This allows arbitrary code execution within the context of the victim's browser session, potentially leading to session hijacking, defacement, or further exploitation of the administrative interface. The attack vector is remote network-based, requiring no user interaction beyond the attacker’s own authenticated session. The CVSS 3.1 base score of 4.7 reflects medium severity due to the requirement for authentication and limited impact on confidentiality, integrity, and availability. No public exploits have been reported yet, but the vulnerability poses a risk to organizations relying on Microweber 2.0.9 for website management. The root cause is improper input validation and output encoding of user-supplied data in the admin module user view endpoint, a classic CWE-79 scenario. Mitigation involves input sanitization, output encoding, and applying patches once available.

The primary impact of CVE-2024-33299 is the potential for an authenticated attacker to execute arbitrary scripts in the context of the Microweber administrative interface. This can lead to session hijacking, unauthorized actions performed on behalf of administrators, data leakage, or defacement of the website. Although the vulnerability requires high privilege authentication, it can still be exploited by insiders or attackers who have compromised credentials. The scope is limited to Microweber installations running version 2.0.9 or similar vulnerable versions. The impact on confidentiality, integrity, and availability is low to medium but can escalate if combined with other vulnerabilities or social engineering attacks. Organizations using Microweber for critical web services or e-commerce may face reputational damage and operational disruption if exploited.

1. Immediately restrict access to the /admin/module/view?type=users endpoint to trusted administrators only and monitor for suspicious activity. 2. Implement strict input validation and output encoding on the First Name and Last Name parameters to neutralize malicious scripts. 3. Apply any official patches or updates from Microweber as soon as they become available. 4. Use Web Application Firewalls (WAFs) with custom rules to detect and block XSS payloads targeting this endpoint. 5. Enforce strong authentication mechanisms and consider multi-factor authentication to reduce risk from compromised credentials. 6. Conduct regular security audits and penetration testing focused on administrative interfaces. 7. Educate administrators about the risks of XSS and safe handling of user input fields. 8. Monitor logs for unusual input patterns or error messages related to the vulnerable endpoint.